Fake “Payment Certificate” Notifications Used to Deliver Cross-Platform RAT

JRAT infections

Experts warn that individuals in the United Kingdom and the United Arab Emirates are being targeted in a spam campaign that’s designed to distribute the Java remote access Trojan (RAT) dubbed JRAT.

Security researchers from Symantec say the campaign started on February 13. The cybercriminals are sending out fake “payment certificate” emails in hopes that the targets will open the attachments. The messages read something like this:

“Good afternoon, I have attached the payment certificate along with this email, please confirm receipt of it.”

The .jar file attached to the notification (Paymentcert.jar) is not a certificate at all but a Java dropper, detected by Symantec as Trojan.Maljava. When the user runs it, it drops JRAT, which Symantec detects as Backdoor.Jeetrat.

Because it is a Java application, the RAT is cross-platform: it can run on Windows, OS X or Linux machines, provided a Java Runtime Environment is installed, since the .jar is executed by the JRE rather than by the operating system directly. Most infections with JRAT as a result of this campaign were identified between February 14 and February 19.
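The delivery trick above rests on a .jar attachment being passed off as a document. A mail gateway or triage script can catch this without any signature: a JAR is a ZIP archive, and an executable one carries a META-INF/MANIFEST.MF with a Main-Class entry plus .class files. The following is an added example written for this article, not Symantec's or the campaign's code; the lure keywords, the list of "legitimate certificate" extensions and the sample JAR it builds in memory are all constructed assumptions for the demonstration.

```python
"""Triage an e-mail attachment: is it a certificate/document, or an executable JAR?"""
import io
import zipfile

# Lure words seen in the campaign's filename (Paymentcert.jar); extended by assumption.
LURE_KEYWORDS = ("payment", "cert", "invoice", "receipt")
# Extensions under which a certificate or document could legitimately arrive (assumption).
CERT_EXTENSIONS = (".pem", ".cer", ".crt", ".der", ".p7b", ".pdf")


def parse_manifest(text):
    """Parse the main section of META-INF/MANIFEST.MF into a dict.
    The manifest format wraps long values: a line beginning with a single space
    continues the previous attribute, so 'Main-Class: Pay' + ' mentcert' -> 'Paymentcert'."""
    attrs = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            break  # blank line ends the main section; per-entry sections follow
        if raw.startswith(" ") and last_key:
            attrs[last_key] += raw[1:]
            continue
        if ":" in raw:
            key, _, value = raw.partition(":")
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def inspect_attachment(filename, data):
    """Return ("block" | "allow", [reasons]) for one attachment's name and bytes."""
    reasons = []
    name = filename.lower()
    ext = ("." + name.rsplit(".", 1)[-1]) if "." in name else ""

    is_zip = zipfile.is_zipfile(io.BytesIO(data))
    main_class = None
    class_count = 0
    if is_zip:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            class_count = sum(1 for n in names if n.endswith(".class"))
            if "META-INF/MANIFEST.MF" in names:
                manifest_text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                main_class = parse_manifest(manifest_text).get("Main-Class")

    executable_jar = is_zip and (main_class is not None or class_count > 0)
    if ext == ".jar":
        reasons.append("attachment uses the .jar extension (launched by the JRE on double-click)")
    if executable_jar:
        reasons.append("archive contains Java bytecode (%d .class entries)" % class_count)
        if main_class:
            reasons.append("manifest declares Main-Class: %s" % main_class)
        if ext != ".jar":
            reasons.append("extension %r does not match executable-JAR content" % ext)
    if any(k in name for k in LURE_KEYWORDS) and (ext == ".jar" or executable_jar):
        reasons.append("document-style lure name on executable content")
    if ext in CERT_EXTENSIONS and not is_zip:
        reasons.append("plausible certificate/document format, no archive structure")

    verdict = "block" if (ext == ".jar" or executable_jar) else "allow"
    return verdict, reasons


def build_sample_jar(main_class="Paymentcert"):
    """Constructed sample: a minimal JAR with a manifest entry point and one fake
    class file (0xCAFEBABE header only). Not the real dropper; built for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: %s\r\n\r\n" % main_class)
        zf.writestr(main_class + ".class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


# Constructed sample of what a genuine "certificate" attachment would look like.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for fname, blob in (("Paymentcert.jar", build_sample_jar()),
                        ("Paymentcert.pdf", build_sample_jar()),
                        ("Paymentcert.pem", SAMPLE_PEM)):
        verdict, why = inspect_attachment(fname, blob)
        print(fname, "->", verdict)
        for r in why:
            print("   ", r)
```

The second case matters in practice: renaming the file to .pdf does not change the verdict, because the check keys on the archive contents (manifest and bytecode) rather than on the extension, and the extension mismatch itself becomes a reason to block.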

In addition to the UK and the UAE, the campaign has also impacted Germany, the US, Canada, India, China, Italy, and France.

“This campaign appears to be targeting specific individuals. Certain aspects of the attack seem to confirm the targeted nature of the campaign, such as the low victim numbers, a unique dropper, one command-and-control (C&C) server and the fact that the majority of these spam messages were sent to personal email addresses,” Symantec security expert Lionel Payet explained.

Cybercriminals using JRAT have a builder that enables them to easily customize the threat.

JRAT has been seen before. Symantec published an advisory on JRAT attacks back in July 2013. At the time, cybercriminals were leveraging news coverage surrounding the controversial NSA surveillance program PRISM to trick users into installing the RAT on their computers.

At the time, most of the targets were located in the United States, but infections were spotted all over the world.

“The popularity of these campaigns isn’t surprising, as if an attacker successfully infects a victim’s computer with a RAT, then they could gain full control of the compromised computer,” Payet explained in a blog post published on Thursday.

“Along with this, these threats aren’t limited to one operating system, as in theory, they focus on any computer that runs Java. Attackers have easy access to Java RATs thanks to the fact that a handful of these RATs’ source code is being openly shared online,” the expert added.
